tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Eggers <>
Subject Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
Date Fri, 06 Feb 2015 16:58:54 GMT
Hash: SHA1

On 2/6/2015 2:21 AM, Brian wrote:
> Hello Mark,
> 1- No authentication at all, since the user authenticates sending a
> parameter in the query string.
> 2- I have two filters:
> "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has
> been working fine for years now) and.... CORS, yes!!! Actually, the
> CORS filter (org.apache.catalina.filters.CorsFilter) is the first
> filter in my web.xml file, so it is the first to run. This is the
> way I have configured it:
> <filter> <filter-name>CorsFilter</filter-name> 
> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
> <param-name></param-name> 
> <param-value>*</param-value> </init-param> <init-param> 
> <param-name></param-name> 
> <param-value>false</param-value> </init-param> </filter> 
> <filter-mapping> <filter-name>CorsFilter</filter-name> 
> <url-pattern>/*</url-pattern> </filter-mapping>
> I added the CORS filter probably two months ago, and probably I
> have started seen the 403 errors since then, yes! And now that I
> think about it, probably it is the CORS filter the reason of the
> 403 indeed, since my API is being called not only from servers but
> also from Javascript running in all kind of browsers and maybe some
> of them don't deal with CORS properly. That would explain why the
> 403s happens ocasionally. In fact, I see this 403 ocurring in most
> of the cases by one specific user (authenticated by a parameter in
> the query string) that calls my API from javacript!
> In what conditions does this filter return a 403 error? What are
> the Headers involved when that happens? How can I avoid this
> problem? Where (on the internet) can I learn more about this
> specific problem?

CORS basically doesn't with Internet Explorer < 10.

IE < 8, and CORS does not work at all.
IE 8 - Microsoft has a 'special mechanism' for CORS
IE 9 - Microsoft breaks the 'special mechanism'
IE 10 - Microsoft tells people to use CORS

. . . been there, fought that

> Thanks Mark!
>> -----Original Message----- From: Mark Thomas
>> [] Sent: viernes, 06 de febrero de 2015
>> 04:47 a.m. To: Tomcat Users List Subject: Re: Sporadic HTTP 403
>> returned by Tomcat when this should not happen ever. How to find
>> out why this happens?
>> On 05/02/2015 23:14, Brian wrote:
>>> Hello David,
>>> Not, it is not the case. No exceptions whatsoever. And about
>>> 1/100 (or less) of
>> the requests return a 403 to the users, and all those requests
>> are doing the same thing.
>>> Thanks a lot for your help!
>> Is any authentication configured for this web application?
>> What filters are configured (the CORS filter might return a 403
>> for example)?
>> Mark

Version: GnuPG v2


This email is free from viruses and malware because avast! Antivirus protection is active.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message